QRadar Network Packet Capture Query Language (NTQL)

Use the QRadar® Network Packet Capture Query Language (NTQL) to retrieve data from packets that are captured.

For example, you can use NTQL for the following types of information:

IPv4 host addresses, as source, destination or either
IPv6 host addresses, as source, destination or either
TCP or UDP port numbers, as source, destination or either
Layer 3 protocol carried by Ethernet frames
Layer 4 protocol carried by IP packages
Combinations of these with logical and and or

Note: NTQL is case sensitive.

Matching everything

An empty NTQL string matches all packets, which is useful when the number of matches is limited.

Host address search

To search for packets sent to a specific host, enter the following string:

src host <IP address>

To search for packets sent from a host, enter the following string:

dst host <IP address>

Port number search

To search for packets that were sent to or from a TCP or UDP port, enter the following string:

port <number>

Packets that are sent by using protocols that have no port numbers are discarded by this search.

To narrow down the search results to packets that were sent from a specific port, enter the following string:

src port <number>

To search for packets that were sent to a specific port, enter the following string:

dst port <number>

Layer 3 protocol search

To search for packets that use a specific layer 3 protocol, enter the following string:

l3proto <protocol>

where <protocol> is either a protocol number or a name. These are the supported protocol names:

arp
ip
ip4
ip6
ipv4
ipv6
lldp
ptp

When ip is given as protocol, IPv4 is used.

Layer 4 protocol search

To search for packets that use a specific layer 4 protocol, enter the following string:

l4proto <protocol>

where <protocol> is either a protocol number or a name. These are the supported names:

3pc
ah
argus
aris
ax.25
bbn-rcc-mon
bna
br-sat-mon
cbt
cftp
chaos
compaq-peer
cphb
cpnx
crtp
crudp
dccp
dcn-meas
ddp
ddx
dgp
egp
eigrp
emcon
encap
esp
etherip
fc
fire
ggp
gmtp
gre
hip
hmp
hopopt
i-nlsp
iatp
icmp
idpr
idpr-cmtp
idrp
ifmp
igmp
igp
il
ip-in-ip
ipcomp
ipcu
ipip
iplt
ippc
iptm
ipv6
ipv6-frag
ipv6-icmp
ipv6-nonxt
ipv6-opts
ipv6-route
ipx-in-ip
irtp
iso-ip
iso-tp4
kryptolan
l2tp
larp
leaf-1
leaf-2
manet
merit-inp
mfe-nsp
mhrp
micp
mobile
mobility-header
mpls-in-ip
mtp
mux
narp
netblt
nsfnet-igp
nvp-ii
ospf
pgm
pim
pipe
pnni
prm
ptp
pup
pvp
qnx
rdp
rohc
rsvp
rsvp-e2e-ignore
rvd
sat-expak
sat-mon
scc-sp
scps
sctp
sdrp
secure-vmtp
shim6
skip
sm
smp
snp
sprite-rpc
sps
srp
sscopmce
st
stp
sun-nd
swipe
tcf
tcp
tlsp
tp++
trunk-1
trunk-2
ttp
udp
udplite
uti
vines
visa
vmtp
vrrp
wb-expak
wb-mon
wesp
wsn
xnet
xns-idp
xtp

Combining search terms

These search terms can be combined into more complex expressions with and and or keywords. For example, to search for packets to or from 1.1.1.1 or 2.2.2.2, enter the following string:

host 1.1.1.1 or host 2.2.2.2

To search for packets that are both to and from 1.1.1.1 or 2.2.2.2, enter the following string:

host 1.1.1.1 and host 2.2.2.2

These keywords are left associative. For example, consider the following syntax:

port 42 and host 1.1.1.1 or host 2.2.2.2

The expression evaluates to the following:

sent to or from port 42 and to or from host 1.1.1.1, or
to or from host 2.2.2.2 without regard for the port numbers

You can change the left association by using parentheses, as shown in the following example:

port 42 and (host 1.1.1.1 or host 2.2.2.2)

The expression evaluates to find packets to or from port 42 that are to or from host 1.1.1.1 or 2.2.2.2.